The Puchi Herald Reblog

A reblogging blog

It is time for research to think about security and privacy

We usually talk about cyber security and privacy in relation to industry and personal life, but today I would like to make some points about research in universities.

How security-aware are universities?

This is an interesting topic. Looking at the statistics on cyber security attacks, I would say security and privacy awareness is not at the top of their list of needs.

So bad …

Well, first of all let’s make a little distinction:

Engineering vs the rest

There is no doubt that engineering universities and research groups are more cyber security savvy than the rest. Some of them are also actively working on and studying the issue.

Nevertheless the overall cyber security and privacy approach, apart from those actively working on the subject, is poorly implemented. On the other hand, engineering universities are full of people playing with fire … some will be the defenders of tomorrow, some are the hackers of today (hacker is not necessarily a bad term).

The rest are in a questionable situation: both cyber security and privacy suffer from a lack of vision and of willingness to address the point, even though there are areas that deal with very sensitive data, think of the healthcare industry.

The result is under our nose: a lot of people with great skills and knowledge on a lot of different subjects, completely unaware of the consequences of digitalization…. Why do you think it is so easy to break into healthcare systems, law firms and so on?….

The research issue

There was a time when being a scientist meant putting your life at stake; it was not easy to be Galileo Galilei in his time. But I hope that anyone with a brain can agree that science was essential to the development of our society and way of life. Science plays an important role in human development, and I take science in its broadest meaning… not only technology or physics, but medicine, economics, social science, history, literature, philosophy … in a way, culture … the connections and ramifications of science with art, as an example, are undeniable… so we should ask ourselves whether there can be a world without science.

But science is based on theories more than faith, trials more than prayers, and therefore needs a solid trusted base …

The trust is no longer here

In this security- and privacy-unaware environment, researchers who are not security focused seldom pay attention to security, but today's research environment, criminal landscape and geopolitical warfare would suggest a different approach. If some years ago the word of a scientist was respected, nowadays it seems that politics takes over science: data and results are no longer what they are, the consequences of studies and trials, but things are what your political beliefs want them to be.

So we see a rise of “creationists” or other religious para-scientific claims accredited as “scientific”, as well as the denial of scientific evidence in the name of political or religious beliefs (think of global warming as an example).

When you start a research project you basically need to start collecting and managing data, use some computational power, share those data with peers…. But those data and those exchanges are what we should also look at in terms of privacy and security.

Depending on the nature of the research you can have direct, evident privacy and security implications, but even if you are working in areas that are not apparently key you should put some precautions on the table. Let me quickly try to explain why:

Data are important

Data are what you have to work on: you sample, collect, store, analyze, transform data.

In a trusted environment you can avoid caring too much: come on, I trust you and you trust the others, so what can go wrong… but this is no longer the reality.

  1. if your data have some kind of value (and I think they have, or you would not use them) you should protect them
  2. if your data are needed to prove your point you should be able to ensure they are reliable
  3. if your data need to be exchanged with others you should be sure that what you transmit is what they get, and that what you receive comes from an equally trusted source and the data themselves are trustworthy
  4. if your work is worth something, maybe you want some intellectual property on it, and therefore you have to be sure your results are not repudiable, and not subject to copying or used and/or modified without your knowledge

Those 4 points are the main areas where you should put privacy and security into the equation, no matter what your research is.

What is the value?

Every time you have to invest something you make a trade-off between the monetary resources invested and the expected output. In science this is a hard exercise, so I understand that most of the time you do not want to look into data protection, but try to think about how much you depend on those data..

What happens to your research if ransomware encrypts your data?

What happens if an attacker or an incident poisons your data with some bias?

Sometimes you can also be “collateral damage” and not the direct target, but does it make any difference to you?

If you are not able to put those considerations on the table you can start wondering what the value of your job is.

Protecting means?

Usually you set things up using whatever comes to hand. This does not mean crappy things, but… how much planning have you put into this?

Have you considered what happens if you lose your data in a mechanical crash?

Or in a hacking attempt?

Or through a genuine, honest mistake by the developer who writes the code that manages your data?

Or if your shared repository has to make room for something more important?

And what if someone tampers with your data?

And what if someone copies your data?

And what if ….

These kinds of scenarios are not your research field, I know, but they are nevertheless connected to your job and you should start to consider them.

Backup, storage, encryption, access management, intellectual property protection, data exchange, computational requirements… all those things should be managed in a sound, reliable plan that foresees current and future needs…

The problem of exchange

Another aspect that is really critical is how you can be sure that the data you are exchanging are managed correctly.

The first point when there is an exchange between two points is to be able to trust the endpoint itself. This basically means you want to exchange data with this subject, but maybe not with another one (I know you are not all friendly to one another).

So the point is how you can be sure you are sending the data to the correct recipient…

When you send something you should assure the counterpart that what he/she/it receives is what you are sending: data should be handled in a way that provides non-repudiation and tamper resistance, and that also maintains ownership if needed.

Now, they can be the genome of a rock, a clinical trial result on the effect of Mars on alopecia, a set of data on the relationship between gun distribution and bird control rate, the climate data of the last 100 years in Neverland… whatever… you need your data to be recognized as:

1) yours

2) truthful even after the transfer

The point here is that otherwise anyone can change the assumptions, and therefore the conclusions, making you part of a fraud. You should always be able to say: those were not my data….

And at a moment when politics and science collide once again, this is not a minor issue.
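
One way to make a transferred data set recognizable as "yours" and "truthful even after the transfer", as an added example that is not from the original post: the sender publishes a manifest of SHA-256 digests sealed with an HMAC, and the receiver checks the seal before checking each file. The file names, owner address, key and function names are constructed for illustration; an HMAC with a pre-shared key authenticates the sender only to the peer holding that key, so non-repudiation toward third parties would need a digital signature over the same manifest.

```python
import hashlib
import hmac
import json

# Constructed sample data set (file name -> content); not real research data.
DATASET = {
    "readme.txt": b"Station 7, daily mean temperature, degrees Celsius\n",
    "samples.csv": b"day,temp_c\n1,14.2\n2,14.9\n3,15.1\n",
}
# Hypothetical key agreed with the peer out of band (assumption of this example).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def build_manifest(files, owner):
    """List every file with its SHA-256 digest, plus who claims ownership."""
    return {
        "owner": owner,
        "files": {name: hashlib.sha256(data).hexdigest()
                  for name, data in files.items()},
    }


def seal(manifest, key):
    """HMAC-SHA256 over a canonical JSON encoding of the manifest."""
    # Sorted keys and fixed separators: both sides MAC exactly the same bytes.
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(files, manifest, tag, key):
    """Receiver side: check the seal first, then every file against the manifest."""
    report = {"authentic": False, "modified": [], "missing": [], "unexpected": []}
    if not hmac.compare_digest(seal(manifest, key), tag):
        # Manifest forged or altered (owner included): trust nothing listed in it.
        return report
    report["authentic"] = True
    for name, digest in sorted(manifest["files"].items()):
        if name not in files:
            report["missing"].append(name)
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            report["modified"].append(name)
    report["unexpected"] = sorted(set(files) - set(manifest["files"]))
    return report


def is_intact(report):
    """True only if the seal is valid and the file set matches exactly."""
    problems = report["modified"] or report["missing"] or report["unexpected"]
    return bool(report["authentic"] and not problems)


if __name__ == "__main__":
    manifest = build_manifest(DATASET, "lab-a@example.org")
    tag = seal(manifest, SHARED_KEY)
    # Simulate one value being changed in transit.
    received = dict(DATASET)
    received["samples.csv"] = received["samples.csv"].replace(b"14.9", b"19.4")
    print(verify(received, manifest, tag, SHARED_KEY))
```
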

Food for thought

Privacy and cyber security are children of the current expansion of digitalization. Those issues are not a side thought but a real component of your everyday job, even if you are a researcher in areas far away from cyber security, information technology or whatever.

If those data should be kept public, you should also start thinking about how to maintain, store and allow access to them in a consistent and secure way. Sure, you can post them on Facebook and tweet them but maybe, just maybe, this would not be the optimal solution.

And you should start thinking about those things before it’s too late. No matter who you are or what you do, digital life is here for you too and you should start acting accordingly.

Just think about it.





It is time for research to think about security and privacy was originally published on The Puchi Herald Magazine

A GDPR guide for those who don't want to know about it: you have to start, but what do you have to do?

Have you already realized that in a year's time you will have to comply with the new privacy laws dictated by the GDPR?

OK, OK, I get it

you have to think about moving from your:

“who cares about privacy, it's not a business thing anyway”

to:

“oops, if I don't do things properly this time I risk a fine of up to 4% of my turnover. Damned @#][<> GDPR”

and you are starting to get anxious.

To tell the truth I don't think you are; in fact I think you keep repeating the first sentence like a mantra. But let's pretend you have realized that you are about to land yourself in a river of trouble unless you do something. The point is: what to do?

Let's see if I can help you. Of course, I would like to be able to explain what the GDPR is and what data privacy and data protection mean, but since I know you are not interested in understanding the why, only the what, I will try to be as elementary as possible.

Step number one: you need a DPO

What the heck is a DPO?

The DPO is the guy who is supposed to help you handle the demands coming from this Mr. GDPR, whom nobody has introduced to you yet but who seems eager to hand you fines and take your money.

DPO stands for Data Protection Officer, which in Italian you can translate as Responsabile della Protezione dei Dati: what, wasn't it enough to have to hire an IT manager (when you have one)?

Now I know you would like to call your IT manager and tell him,

you deal with it: pick one of your people and dump this chore on him, FOR FREE

but, unfortunately, I'm afraid it doesn't work like that.

Mr. GDPR, a wicked European insensitive to your needs, has ruled that this DPO must be a role that enjoys a certain independence, and the prevailing view even seems to be that this person is incompatible with the role of IT manager (a German company has already been sanctioned for this, but you know, Germans are picky).

I'll tell you more: a DPO must be guaranteed the autonomy to give you guidance on how to implement compliance with Mr. GDPR's demands, but you keep the responsibility for the company's choices, which is to say

  • if he tells you to do “A” and you do “B” instead, you are responsible
  • if he tells you to do “B” because you told him that is what you want, you are responsible
  • either way, you are responsible.

Great, I'm already sure you don't like this. If you disliked Mr. GDPR, I imagine you are now starting to detest this Mr. DPO too, whoever he may be.

I want to be honest with you: in Italy we are still debating what a DPO is. Some say a lawyer, some say an IT person; I tell you it is a bit of both… but if it is a specialized lawyer it will cost you more … you know very well that you can get IT specialists for a crust of bread from the brother-in-law of the brother of the friend of the brother-in-law of the deli owner.

The problem with the DPO is that he has to explain to you (I don't envy him) what you MUST do to secure the data you manage that may be subject to the GDPR. But this requires:

  1. understanding privacy laws
  2. understanding how the data management systems are implemented
  3. understanding how your business works
  4. understanding how to protect the data in light of your systems, your business and the privacy laws

In short, the DPO should be a manager of proven experience, which on its own is almost unbearable, and should stick his nose into your affairs.

Now you have several choices:

  1. you can use an external consultant
  2. you can hire or train an internal person
  3. you can ignore it (as you are doing at the moment) and cheerfully risk the fine.

Obviously the three options have pros and cons: if you use an external person you have to pay him, but you can replace him if he doesn't do what you want; if you use an internal person you risk that he can no longer do his previous job; if you ignore it, well, hope they don't catch you.

And after you have got a DPO?

Now let's suppose that in the end you put one hand on your heart and one on your wallet and chose option 1 or 2 (I rule out 3)

what to do?

The first step is to bring together all the thinking heads of your company, the IT people and the DPO, and do 2 things:

  1. find out where the data subject to the GDPR are and how you manage them
  2. carry out a nasty thing called a PIA (Privacy Impact Assessment), which basically means,

These first two steps are extremely important because, let's be clear, you don't have the faintest idea of

  • what the data are,
  • where they are,
  • how you use them,
  • what you need them for,
  • how you collect them,
  • how you manage them,

The scary thing is that Mr. GDPR will certainly force companies to take charge of a huge amount of data to protect.

Let me be clear: all data that can be used to refer to a living person are personal data under the GDPR:

  • IDs,
  • cookies,
  • IP addresses,
  • e-mail addresses,
  • any personal device identifier
  • metadata without an identifier that can be traced back to a person
  • ….

Don't know what I'm talking about? KNOW IT!!!!

OK, OK, I know you don't understand any of this stuff; that is why they tell you that you have to use a DPO who, somehow, must be able to talk to you and your managers and explain things to you, to the IT manager and explain things to him, to whoever deals with security …..

Understanding where these data are and what they are is therefore not trivial, but at least once you have done it you can move on to the second step, the PIA.

No, the PIA is not the Paperon Intelligence Agency

Don't expect Donald Duck to come to your rescue. The PIA is a tool that helps you understand the risks you are exposed to by managing the data you are managing and that you didn't even know you were managing.

The PIA helps you understand what is at risk and how to protect it. Unfortunately the PIA requires your DPO, the IT manager and the head of security to be able to make these assessments, which implicitly means that the brother-in-law of the neighbour of the brother of the deli owner downstairs, whom you rely on as a cheap “guru” for all your IT needs, will probably not be enough.

In short, if the PIA ends up telling you that you are in rather bad shape, don't be surprised; rather, be surprised if it tells you the opposite.

…. and finally you can start working

Once you have a DPO and a PIA you can finally start reasoning about what you need. Expect a lot of work in terms of:

  1. how you manage your data
  2. policies and procedures to implement
  3. technologies and, pardon the swear word, IT stuff that is missing or needs to be properly managed, such as backups, databases, security …

the bad thing is that you will have to work on it a lot

the good thing is that you might discover that managing things well can, in the end, also make you work better, although probably in a different way from before.

if you want we can talk about it, let me know….




A GDPR guide for those who don't want to know about it: you have to start, but what do you have to do? was originally published on The Puchi Herald Magazine

GDPR and the technology market

Question: will the new privacy policies and laws impact the technology market?

This is an interesting question to ask ourselves. Whether we are consumers of the technology market or technology vendors, privacy regulations and their impact on the new technologies (from cloud to IoT, from industry 4.0 to big data, just to name the most acknowledged from a marketing point of view) can heavily affect our behaviours and the market.

So let's try to understand what the implications of this new focus on privacy and data protection could be.

First of all we should try to understand what we are talking about.

Privacy, GDPR and the rest.

Privacy: the state of being alone, or the right to keep one’s personal matters and relationships secret:

In today's environments the presence of data-related technology is pervasive: from business to personal life, technology plays a big part in our lives. Data-related technology means we use technologies that are able to manipulate information: information is collected, changed, communicated and shared, all in the form of data. Bits and bytes that describe our job, our business, our personal life.

Although in the past privacy was mainly a physical issue, and legislation therefore focused on those aspects, this increasing presence of data collection and sharing makes people realize that there is a new abstraction layer involving privacy, one no longer related to being alone or in a confined physical space, but to an undefined, borderless digital virtual space.

Email, blogs, social networks, chat, e-commerce, electronic payment, smart phones: all this and more has shifted the very perception of privacy from a simple concept to something harder to define.

Lawmakers and consumers have started to deal with those issues in recent years, while the enterprise and technical world has remained almost frozen, waiting for indications. The first indication that this would be a wake-up call for enterprises was the end of the Safe Harbour agreement: privacy was no longer a secondary issue, even for the economy.

The latest development can easily be identified in the new European Union General Data Protection Regulation (GDPR), which comes into effect in May 2018 and has far-reaching implications that extend far beyond the EU.

Businesses that fail to meet the new mandates aimed at protecting personal data face severe consequences. They can be fined up to $20 million, or 4 percent of global revenues — a cost that makes this regulation impossible to ignore.

But other areas of the world, not only Europe, are moving toward a more cautious approach to data privacy. While it is not yet clear what the new USA administration's approach to this subject will be, there is no doubt that data privacy will become a major issue in the coming years; how this will impact business, however, is not yet clear.

What is certain is that GDPR will force companies to deal with a tremendous amount of data to be protected. Any data used to make inferences linked tenuously or otherwise to a living person is personal data under GDPR. Cookie IDs, IP addresses, any device identifier? All personal data. Even metadata with no obvious identifier is caught under the GDPR’s definition of personal data. Truth be told, such assertions are not entirely new. The difference under GDPR is that they will be enforced and non-compliance fined.

Today swathes of business practices unlocking data monetization rely upon data not being considered personal. So they apply weak consent, onward transfer and data reuse concepts. These models are going to change; either by choice, or by obligation.

Data Privacy, Data Protection and Cyber Security

One aspect that is not yet completely perceived and understood is the correlation between data privacy, data security and cyber security. The requirements that force companies to respect data privacy law are intrinsically bound to the explicit request for data protection and, therefore, cyber security.

GDPR clearly defines that data should be fairly processed and protected: the implications are not only in terms of the procedures to adopt inside enterprises, but also technical, in terms of data manipulation, retention, storage and security.

Recent security outbreaks such as the ones related to ransomware are an example of how basic cyber security threats can directly impact this area, as are the common and well-known cyber attacks aimed at data exfiltration.

This is a growing phenomenon and is affecting not only the classical online services (think of classic dating site attacks, as an example, to collect usernames and passwords) but also, extensively, the healthcare industry.

While in the past those outbreaks could have been a relatively minor issue, the new GDPR structure of fines could heavily affect any company, regardless of its sector, and some departments that in the past never considered those issues a business imperative, such as marketing or Human Resources, will have to face a difficult transition in terms of awareness, policies to be implemented and technology approach.

It is easy to forecast that this situation will shape the technology market in different areas in the coming years.

Impact on the technology market

When we talk about the technology market we face different aspects: “technology” as a term can cover a wide range of things. We can talk about hardware vendors or software vendors. We can talk about service vendors (cloud, CRM or whatever you like more), IT enterprise or carrier HW providers, security vendors, and end-user HW providers (such as smart phone makers).

Recently the trend is to aggregate functions and offerings, making those areas overlap within the same company, although they are often not integrated.

Since the whole industry will have to face the new privacy requirements, we can expect an increase in requests for data privacy expertise hitting the market, and a growing demand for IT solutions that help companies manage the requirements. This could, as an example, give a small impulse to historically neglected areas such as DLP solutions, data categorization solutions and so on.

Some small advances and effort will probably also be put into more traditional areas such as backup.

A heavier impact will be seen in the growing online market, with the need not only to protect the privacy of users but also to safeguard economic transactions; content providers and social or gaming platforms will be heavily impacted too.

In a second phase we will probably see a renewed interest in baseline security solutions, as the stakeholders will, sooner or later, realize that there is no compliance without data protection and there is no data protection without cyber security.

The request for expertise and consulting services will mostly be directed outward, to technology vendors (here considering HW/SW vendors such as Cisco, HP, Huawei, SAP, Microsoft; service vendors such as cloud providers – Azure, AWS, Google – but also app stores and online CRM providers), consulting companies and technology integrators.

On the other hand, technology vendors will face a strange situation in which they will be asked to provide solutions compliant with the new rules, to be the drivers of the new requirements and implementations (public-private partnership basically means this), and will need to implement solutions to protect themselves in different areas, such as:

Product and Services development

Here vendors will have to start developing products/services treating data protection as a major issue. The impact is clear on cloud or services, where data protection can be easily identified, but the HW product side will have to face issues too. Although it may seem trivial, we can remember the problem related to GPS tracking in Apple and, to some extent, Android that happened some years ago. Privacy implications of products can be wider than expected, since we have to protect not only the data per se but also the metadata (this is the wider scope of GDPR and the new privacy regulations).

Usually we tend not to consider system logs, as an example, a problem in terms of privacy, but in effect they are if they contain data that can point to a physical person and be used to track that person's behaviour.

Firewall and router logs, as an example, could be used to determine what someone is doing online, and can therefore expose information that falls within the GDPR realm. These are apparently minor features, but the truth is that metadata are also covered by GDPR.

Privacy by Design and Privacy Enhancing Technology will be mandatory components of any product/service development.

Marketing and Sales

Marketing (and/or sales) has always been considered agnostic towards technology, but the ultimate scope of marketing is to get in touch with the market, which means customers and ultimately people. Marketing activities will be hugely impacted by GDPR requirements, both in terms of operations, since it is up to marketing to manage a large amount of data coming from outside the company, and in terms of communication.

Technology vendors will, somehow, be expected to lead and drive the response both through consulting and by example. The result of a breach or a misinterpretation of GDPR guidance will severely impact the business from a brand point of view and undermine vendor credibility.

Internal protection

As for any other company, there will be a direct impact on the business operations of any vendor dealing in the technology field. But in this case the extent of the problem will not be limited to standard cyber security procedures: since technology vendors enter, somehow, almost directly into customers' IT or data processing infrastructure, the request will be to implement an end-to-end protection system which includes GDPR compliance and cyber security. This will require technology vendors to operate on:

  1. supply chain
  2. production and vulnerability disclosure
  3. product and service delivery

All three areas are still trying to develop standards and good practice, although something is moving.

So what are the changes expected under the new regulation?

There are around a dozen headline changes which technology companies should be aware of.

Some of the key areas include:

  • Privacy by design and Privacy enhancing technology – privacy by design calls for the inclusion of data protection from the onset of the design of systems. Companies must also hold and process only the data that is absolutely necessary.

Privacy enhancing technology (PET) and Privacy by Design (PbD) are obligatory and mandated requirements under the GDPR. There remains no generally accepted definition of PET or PbD, but PbD is considered an evidencing step for software development processes to take account of privacy requirements. So the incorporation of what can broadly be defined as PET in such solutions represents PbD.

Two particular PET techniques that control downside and enable upside risk are differential privacy & homomorphic encryption.

  • Differential privacy counters re-identification risk and can be applied to anonymous data mining of frequent patterns. The approach obscures data specific to an individual by algorithmically injecting noise. More formally: for a given computational task T and a given value of ϵ there will be many differentially private algorithms for achieving T in an ϵ-differentially private manner. This enables computable optima of privacy and also data utility to be defined by modifying either the data (inputs to query algorithms) or by modifying the outputs (of the queries), or both.
  • Searchable/homomorphic encryption allows encrypted data to be analyzed through information releasing algorithms. Considered implausible only recently, advances in axiomatizing computable definitions of both privacy and utility have enabled companies such as IBM & Fujitsu to commercially pioneer the approach.
  • Data processors – those who process data on behalf of data controllers, including cloud-providers, data centres and processors. Liability will extend to these and businesses that collect and use personal data.
  • Data portability: Empowers customers to port their profiles and segmentation inferences from one service provider to another. This is a reflection by lawmakers that data is relevant to competition law, whilst not conceding an imbalance between a company's ability to benefit from data at the expense of us all as citizens.
  • Data protection officers – internal record keeping and a data protection officer (DPO) will be introduced as a requirement for large scale monitoring of data. Their position involves expert knowledge of data protection laws and practices, and they will be required to directly report to the highest level of management.
  • Consent – explicit permission to hold any personal data in electronic systems will become mandatory. It will no longer be possible to rely on implied consent with individuals having the option to opt out. Customers consent to privacy policies that change. Being able to prove which contract was agreed to, in court or to a regulator, requires registration time stamping, and tamper-resistant logs become de rigueur. As we move into an opt-in world of explicit consent and ubiquitous personal data, data transmissions beyond a website visit must be explicitly permissioned and controlled. In this world, default browser values de-link machine identifiers from search queries. In other words, in this new world, online advertising to EU citizens is in line for fundamental change. And given particular regulatory emphasis on profiling, explicit consent will require loyalty programs to differentiate consent between general and personalized marketing consents. Those consent flags must cascade through registration, reporting and analysis, targeting and profiling, contact center operations and all other processes that handle such data.
  • Breach notifications – the notification of a breach, where there is a risk that the rights and freedoms of individuals could become compromised, must be reported within 72 hours of the breach being identified. The relationship between breach notification and vulnerability disclosure is underestimated. While for an end user those two aspects seem to be unrelated, there could be a higher impact on vendors because of, at least, a couple of factors:
    • The breach notification could expose the vendor as the main source of the breach itself due to lack of vulnerability management and disclosure.
    • The victim could claim liability against the vendors whose “vulnerabilities” caused the breach, redirecting part of the costs to them.
  • Right to access – data subjects will now have the right to obtain confirmation from you of what personal data is held concerning them, how it is being processed, where and for what purpose.
  • Right to be forgotten – data subjects will now have the right to be forgotten which entitles the data subject to have you ensure that information is deleted from every piece of IT equipment, portable device and from server back-ups and cloud facilities. A framework to comply with this obligation would include the following steps:
    • Spot identifiers which tie together datasets, e.g: machine identifiers link together our social media experiences;
    • Prescribe how re-identifiable data flows in and outside the organization;
    • Document a scalable process to overwrite identifiers in all datasets where re-identification can be established, upon the validated request of a user, and
    • Third party contracts and SLAs should be adjusted to ensure compliance with validated requests.
  • Data Bookkeeping: Field level data, linked to an identifier, flows across geographies and legal entities, processed by machines and people. Organizations will account for these flows with evergreen reporting. It stands to reason that these flows will be threat-modeled for integrity and confidentiality so controls can be readily evidenced upon request.
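
The differential privacy item in the list above describes modifying the outputs of queries by injecting noise; the following added example (not from the original article) shows that for a counting query using the Laplace mechanism, a standard way to obtain ϵ-differential privacy, and measures how the choice of ϵ trades privacy against utility. The patient records, function names and seeds are constructed for illustration.

```python
import random

# Constructed sample records: (age, diagnosis). Not real data.
PATIENTS = [
    (34, "asthma"), (51, "diabetes"), (47, "asthma"), (29, "influenza"),
    (62, "diabetes"), (58, "diabetes"), (41, "asthma"), (73, "diabetes"),
]


def is_diabetic(record):
    return record[1] == "diabetes"


def true_count(records, predicate):
    """The exact answer, which must never be released directly."""
    return sum(1 for r in records if predicate(r))


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) as the difference of two exponential draws."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def private_count(records, predicate, epsilon, rng):
    """Release a count with epsilon-differential privacy (output perturbation).

    Adding or removing one person changes a count by at most 1, so the
    sensitivity is 1 and the noise scale is sensitivity / epsilon.
    """
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    sensitivity = 1.0
    return true_count(records, predicate) + laplace_noise(sensitivity / epsilon, rng)


def noisy_answers(records, predicate, epsilon, trials, seed):
    """Repeat the private query; used here only to measure the noise."""
    rng = random.Random(seed)
    return [private_count(records, predicate, epsilon, rng) for _ in range(trials)]


def mean_abs_error(records, predicate, epsilon, trials=5000, seed=1):
    """Average distance between released and exact answer: the utility cost."""
    exact = true_count(records, predicate)
    answers = noisy_answers(records, predicate, epsilon, trials, seed)
    return sum(abs(a - exact) for a in answers) / trials


if __name__ == "__main__":
    for eps in (0.1, 0.5, 1.0, 2.0):
        err = mean_abs_error(PATIENTS, is_diabetic, eps)
        print(f"epsilon={eps:<4} mean absolute error={err:.2f}")
```

A smaller ϵ gives stronger privacy and a noisier answer. Repeating the same query spends more of the privacy budget each time, which is why the repeated calls here are for measurement only.
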


GDPR impact

Privacy regulations such as GDPR, and the growing awareness and concerns related to data privacy and security, are related to the expanding presence in everyday life and business of smart mobile devices able to process data, the growing online market, consolidated trends such as cloud services and newcomers such as IoT.

The technology market faces this transition on the front line, and will see the impact of new regulations and customer reactions in several ways. This is both a chance and a problem: the implementation of new mandatory requirements will impact all areas, from design and production to sales and delivery. But this will also mean new areas of business in consulting and in the technologies that support GDPR and privacy compliance, in a market where data analysis technology, artificial intelligence and other high-end technology areas could provide a competitive, price-insensitive advantage over the consolidated technology market.

The key success factor is to embrace this change and drive it, acquiring the needed competences internally, implementing the right corrections and driving the needed improvements to the products and services provided.

Future trends will see a prevalence of technologies related to “data” processing, and of services related to data, over products. The new data paradigm is already visible today, for example in the Big Data market (take data lake implementations as an example). In terms of the technology market this will mean a focus on Data Science, which will pose a new and somewhat unpredictable relationship with privacy regulations.

GDPR Risks and “Data Science”

The term data science describes a process from data discovery, to providing access to data through technologies such as Apache Hadoop (open source software for large data sets) in the case of Big Data; and distilling the data through architectures such as Spark, in-memory and parallel processing. That data science creates value is understood. What isn’t are the risks it exposes investors to under the GDPR, of which there are principally three:

Risk 1: The Unknown Elephant in the Room – Unicity: a general misunderstanding in monetization strategies is that stripping away identifiers of a data model renders the data set anonymous. Such a belief is flawed. So-called anonymous data sets can often, without implausible effort, be re-identified. Unicity is a measure of how easy it is to re-identify data. It quantifies additional data needed to re-identify a user. The higher a data set’s unicity, the easier it is to re-identify. Transactional and geo-temporal data yield not only high monetization potential, they carry statistically unique patterns which give rise to high unicity.
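The unicity measure described in Risk 1, worked through as an added example that is not part of the original article. It assumes the common definition of unicity as the share of p-point subsets of a pseudonymised trace that match that trace alone; the traces, the `REGION` map and all function names are constructed for illustration.

```python
from itertools import combinations

# Constructed sample: pseudonymised geo-temporal traces, one set of
# (cell, hour) points per pseudonym. Direct identifiers are already stripped.
TRACES = {
    "u1": {("A", 8), ("B", 9), ("C", 18), ("D", 20)},
    "u2": {("A", 8), ("B", 9), ("C", 18), ("E", 21)},
    "u3": {("A", 8), ("F", 12), ("C", 18), ("G", 22)},
    "u4": {("A", 8), ("B", 9), ("H", 13), ("D", 20)},
}
# Hypothetical generalisation map: cells grouped into coarse regions.
REGION = {"A": "north", "B": "north", "C": "south", "D": "south",
          "E": "south", "F": "east", "G": "east", "H": "east"}


def matches(known_points, traces):
    """Pseudonyms whose trace contains every point the observer already knows."""
    known = set(known_points)
    return [user for user, trace in traces.items() if known <= trace]


def unicity(traces, p):
    """Mean share of p-point subsets of a trace that match that trace alone."""
    shares = []
    for user, trace in traces.items():
        subsets = list(combinations(sorted(trace), p))
        if not subsets:          # trace shorter than p points: nothing to test
            continue
        unique = sum(1 for s in subsets if matches(s, traces) == [user])
        shares.append(unique / len(subsets))
    return sum(shares) / len(shares) if shares else 0.0


def coarsen(traces):
    """Generalise each point to its region and drop the hour."""
    return {user: {REGION[cell] for cell, _hour in trace}
            for user, trace in traces.items()}


if __name__ == "__main__":
    for p in (1, 2, 3, 4):
        print(f"p={p}  raw={unicity(TRACES, p):.2f}  "
              f"coarsened={unicity(coarsen(TRACES), p):.2f}")
```

On these constructed traces, two known points already single out half of the candidate pairs even though no name or device identifier is present, while the region-only view never isolates a single pseudonym, at the cost of most of the analytical detail.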

Risk 2: Relevance & Quality: Income, preferences and family circumstances routinely change, and preference data on children is difficult to ethically justify processing. While this creates a problem for predictive analytics, that data and the inferences it engenders can be considered inaccurate at a given point in time, which creates a GDPR cause-of-action. Data quality needs to stay aligned to business objectives.

Risk 3: Expecting the Unexpected: When data science creates unexpected inferences about us, it tends to invalidate the consent that allowed data to be captured in the first place, which, again, is a big deal. Data collected today, particularly from mobile devices, is subject to a constant stream of future inferences that neither the customer nor the collector can reasonably comprehend. Consider a car-sharing app that can model propensity for one-night-stands from usage patterns. While that data may not result in propositions today, the market will consider upside risk/option value to have been created (the market still does not seem to believe in GDPR impact), but this incremental data coming into existence creates downside risk (such data is difficult to find a legal-basis for, given the vagaries of a given consented disclosure).

More generally, the problem of negative correlations is brought to the fore by algorithmic flaws, biased data and ill-considered marketing or risk practices, the enduring example being U.S. retailer Target’s predictive campaigns to pregnant teenagers, spotted by parents. These are examples of a new form of systemic control failure, leading to potentially actionable GDPR claims.


GDPR and the technology market was originally published on The Puchi Herald Magazine

The IoT Files – Privacy

In the previous post “The IoT Files – intro and security” I started to talk about Security issues related to the IoT world.

Security implies a wide range of elements, one of which is Privacy. But since this topic is particularly sensitive, I will talk about it separately.

Privacy in the Internet of Things takes on a different flavor than we are used to. We should think again about what IoT means: a lot of objects that are able to communicate and process data, equipped with sensors that make them aware of their neighborhood.

Those sensors will be able to track where we are (geolocalization), what we buy and eat (smart fridge), how often we shower or are at home (smart meter for gas/electricity), our taste in terms of media and shows (smart TV) and so on.

When we go out, our smart cars will communicate with our smart roads about our position, destination and driving skills; our smart medical devices will keep track of when we sleep or exercise…

Forget having an affair, or just a little moment for yourself: everything will be monitored by something, somehow.

This opens a completely new scenario in terms of privacy; the amount of data available will be way bigger than what we have today.

But who will be able to protect our privacy? How will we be able to monitor who accesses our data?

Personal data

For sure we will need a clear definition of personal and sensitive data. But in an environment where every move or choice is registered, or can be deduced by analyzing the output of different sensors and systems, the extension of “personal” will grow from direct data to metadata, to deduced data.

This is a somewhat more complex version of an already complex dilemma: how to handle all this?

As of now there is not even an agreement on the definition of personal and sensitive data, nor on how to handle those data.

Some countries have strict controls, others lousy ones, and it is not just a matter of developed or undeveloped countries. Take as an example the querelle between Europe on one side and the USA (plus UK) on the other over mass surveillance rights.

The EU approach to data privacy is way more restrictive than the lousy USA one. But even in the EU we can see differences from country to country, and the recent statement of Austria against the new GDPR agreement is a clear sign that we are moving in a really complicated area.

Medical records

And not all personal data are the same; some can have a really “personal” connection. Not only sexual orientation or political and religious beliefs, but think as an example about your medical record.

If we use IoT medical devices, those will be able to help us stay alive, but at the same time they will collect, process and send a lot of really sensitive and private data about our physical condition. Those data, if not managed correctly, could expose us to unpleasant situations, but how do we control the flow of those data?

The same concerns can be found in geolocalization. Sure, it can be useful to find the place where I have to go, or to be found if I want/need to, but at the same time tracking our moves can expose us to risks. Maybe I am going to an interview during my vacation and I don’t want my boss to know, or I tell my mom I can’t visit her because I am at work while I am actually watching something on TV I don’t want to miss (lousy reason, I know). No matter what the reason is, I would like to be sure I can control who is accessing that information.

Consumer Preferences

On the other hand, those data can have great value for third parties: interpolating the results coming from different sensors, it becomes possible to track consumer behavior to a level we cannot imagine right now.

Mixing geolocalization data with actual purchases, we can understand how much time we need to choose a product, how we choose and why.

So it is not only governments and law enforcement agencies that want to know all about us; it is a bigger entity: marketing.

Personal Communication

If we sum all the data we can have in the IoT, even communication, personal communication, assumes a whole new significance. Using so-called metadata it is already possible today to understand a lot about people’s behavior (ask GCHQ).

But with localization and heart rate, maybe we will be able to tell if you are lying or if you are nervous, and we don’t know what more. Again, it is not science fiction, but just the evolution that IoT puts in prospect.

Privacy can simply disintegrate, because all of those sensors and the incredible amount of data will make it possible to know, see, listen to or deduce everything we do.

Privacy of Things

Probably we will have to introduce the Privacy of Things alongside the Internet of Things, and create rules that allow us to stop interpolating data that can expose critical information, not only direct personal or sensitive information as we do today.

What more?

A scenario that is open to new, unexpected evolution, not so different from the one I presented for the security space.

What we should consider is not only the simple data, but the data that can be extrapolated by analyzing other, apparently unrelated, stuff.

In the age of Safe harbor 2.0 (aka Privacy Shield)

I wrote in the past on Safe Harbor and the problems related to data privacy in our age; now we have a Safe Harbor 2.0 (Privacy Shield), and we don’t know how long it will stand.

Even with the relatively small amount of personal data (compared to the IoT) we face problems nowadays; how will we manage what is coming next?

There are sensible questions that have to be addressed in order to at least start analyzing the impact of privacy on IoT.

A few points are the following:

  • Where are my data stored?
  • How do my data travel?
  • Who is storing my data?
  • How will I control who is managing my data?
  • Who can access those data?
  • How are my data used?
  • What if I want to change something?

Since there is no common understanding of the basic definitions, this will be hard. The questions do not have simple solutions, and will require a sound technological approach.

Consider the problem of how data travel. In a world where data can travel through different countries and be stored “in the cloud”, which means somewhere we do not actually control, any control will be difficult.

Storing the data is just one of the aspects, because data, as an example, can be legally sniffed if they pass through certain countries that allow this. Take, as an example, the USA. All data that physically pass through the USA are subject to USA federal laws; this means the USA government can check those data, even if they will be stored somewhere else. The simple transit puts privacy at risk no matter what “Privacy Shield” states.

And so maybe some encryption will not be allowed.

A solution, maybe, would be implementing geotracking of every single packet, in order to determine the path that the packet is allowed to take, but this is at the moment far from our real implementation capabilities.

Legal, technological, cultural frames are still missing ….

We are moving in a slippery field, where legal, technological and cultural frames are still missing.

In the absence of indications, some implementations may not be privacy aware and can create problems in the future, as the Safe Harbor affair showed us.

Alas, politics and governments are still not on this boat; too technical, probably (it is a sarcastic comment).

But it is the cultural lack that is the major obstacle to understanding those issues, a knowledge gap that is related to lack of experience, lack of real technical knowledge, lack of interest. Alas, Security and Privacy suffer from the same problems: they are multidimensional and require a holistic approach (with technical, legal, economic and cultural basics), not the compartmentalized ones we still have on those subjects.

The next post will be on the infrastructures required by IoT.

The IoT Files – Privacy was originally published on The Puchi Herald Magazine
